Safeguarding your business. A cybercrime and fraud protection video series with Ken Gavrity.

Join our Executive Vice President of Commercial Payments as he discusses the rise of digital fraud, emerging cybercrime trends, the red flags to watch out for, and how to help protect your business from cyberattacks, scams, and fraud.

Ken Gavrity:

These days, it’s more important than ever to protect your business from cybercrime and fraud.

Arming yourself with the latest information is crucial to safeguarding your business.

And we’re here to help you do just that.

As part of our commitment to client security, we’re bringing you a series of short videos.

Each will cover a leading trend in cybercrime … along with tips to help you prevent attacks on your business.

As you know, a great deal of business and financial activity has moved online.

And this trend was accelerated by the COVID-19 outbreak.

Today, more people than ever work remotely, which has driven the Bring Your Own Device trend.

The increased use of personal laptops and phones to access company networks is making it more difficult for businesses to maintain a firm grip on security.

These modern-day conveniences are bringing about newer and greater challenges related to cybersecurity.

In the first quarter of 2022 alone, reported phishing incidents surged by 15%, exceeding one million attacks worldwide for the first time.

Our video series will cover the most predominant security threats …

from business email compromise to mobile device phishing and text spoofing.

For now, we’ll start with two fundamental best practices that will help you minimize the threat of cyberattacks on your business.

First, you should alert and educate your staff about the increased risk of fraud and corporate account takeovers.

According to the 2020 Global Identity and Fraud Report by Experian, 57% of enterprises report higher fraud losses due to account takeover.

Let your employees know that fraudsters will often use a web address or phone number that is deceptively close to one your employees know and trust.

Remind them to always review this information closely to make sure it’s legitimate before logging in or returning a call.

Next, put extra security measures in place, such as multifactor authentication tools.

This added layer of security helps ward off fraudsters and verify the identity of your authorized users.

With cybercrime on the rise, maintaining your company's security online is more important than ever.

We all have a role to play in fraud prevention.

KeyBank is here to help you understand the trends, so we can work together to keep your business safe.

Hi. I'm Ken Gavrity, and I run the Payments business for KeyBank.

In today’s environment, we’re constantly hearing about businesses under attack from cybercriminals.

At KeyBank, the security of our client accounts is one of our biggest priorities.

As cybercrime continues to evolve, we want to keep you informed of the emerging trends and what you can do to protect your business.

Consumers and businesses alike are receiving calls, texts and emails from fraudsters presenting themselves as their financial institution. 

These criminals often claim to be investigating fraudulent activity on a client’s account.

A common tactic is to say they need to authenticate you as a client. They then ask for your login IDs, passwords and one-time security codes.

This is happening across the industry. And we have received reports of KeyBank clients being included.

Here is an example of an actual fraudulent text message one of our clients received.

Note the suspicious URL – a major red flag.

One client clicked on a fraudulent link such as this and was then tricked into sharing their username and password.

This resulted in a loss of over $100,000.

Watch out for schemes like this. Remember, don’t give out your passwords or credentials without validating who you are speaking to, especially when being contacted unexpectedly.

Here’s another real-world example from one of our clients.

It’s a fraudulent text message designed to look like it’s from KeyBank.

Fraudulent messages such as this often state that there’s an issue with a recent transaction and to contact them immediately.

In one case, the client user did contact the fraudster who then created a sense of urgency to obtain their login credentials.

Once received, the fraudster wired funds to themselves.

If you are contacted unexpectedly by someone claiming to be from KeyBank and requesting your confidential information, be suspicious and play it safe.

End the call and contact your payments advisor or relationship manager immediately to ensure your security.

If you use KeyNavigator, be sure to ONLY access your account through key.com.

And make sure your dashboard URL starts with keynavigator.key.com.

Never access KeyNavigator by using bookmarks, a search engine like Google or Bing or a search within a browser like Chrome or Internet Explorer. This could lead you to an imposter KeyNavigator site, resulting in credential hacking.

Key maintains close relationships with several national security firms. These experts keep us up to date on emerging threats and best practices for combating them.

And we want to share this information with our clients like you. Here are a few:

Number one. Identify weaknesses. Learn where you're most vulnerable and secure the easiest access points to help prevent breaches.

Two. Stay up to date. Using old systems or failing to adopt the latest security updates leaves you vulnerable. The cost of updating is typically minuscule in comparison to the price of a security breach.

And three. Remember that “security never sleeps.” Continuously review and test your security processes and procedures, measure progress, and adjust protocols and educate your employees.

Hearing from our KeyBank business and commercial banking clients is critical to helping us identify and combat threats.

Let your KeyBank payment advisor or relationship manager know if you encounter anything suspicious or if you think your accounts have been compromised.

Let’s keep each other informed and fight fraud – together.

As more employees work remotely and use their personal devices to conduct business, every individual becomes a potential avenue for cybercrime. 

This is why business email compromise has become one of the most common and financially damaging forms of cybercrime.

In 2021, nearly 20,000 business email compromise incidents were reported, with losses of $2.4 billion.

Business email compromise is a more precise form of phishing, known as spear phishing.

And unlike phishing, spear phishing is narrowly targeted and highly personalized.

This makes it more deceptive for the recipient, and more effective for the hacker.

Business email compromise takes spear phishing a step further by pairing it with an imposter email address that very closely resembles that of a legitimate organization the recipient knows and trusts.

In some cases, fraudsters even hack into email accounts within the recipients' own company to send emails that request payments, security credentials or confidential information.

It’s alarming to learn that 76% of U.S. organizations were targeted through business email compromise in 2020.

Here are a few tips on what you and your employees can do to avoid these deceptive and dangerous attacks.

First, be suspicious of urgent emails asking you to change your payment information or method.

Anytime you are asked to add or change payment instructions, verify the change directly with your vendor. Be sure to contact them through a known phone number or email address – not the ones provided in the email.

Whenever an email is received – particularly one requesting payment changes or sensitive information – look closely at the “From:” field and check the email address against the sender’s actual address to make sure it matches.

And check it twice. The perpetrator may change only one or two letters to trick the recipient.

Other signs of an illegitimate email include messages that are poorly written, slight misspellings or suspicious attachments or links.

Consider conducting a phishing simulation to help your staff identify red flags.

And educate them about malicious apps and other consequences of clicking on phishing links.

Remember, for cybercriminals to succeed, the recipient must take some kind of action ‒ like clicking on the link or opening an attachment.

So always pause and think before clicking. Fraudsters purposely create a sense of urgency to rush people into taking action.

Work with your company’s IT resources to keep your software updated and make sure your systems are backed up.

Develop request authentication and wire transfer policies.

Install anti-malware and endpoint security solutions.

And incorporate multi-step authentication, firewalls and email filters.

Please share this video with your employees and clients so they become aware of threats and what to look for before sharing financial information or sending payments.

For more information on how to protect your business and clients from cybercrime, visit us online.

Hi, I'm Ken Gavrity, and I run the payments business for KeyBank.

Cybercrimes like phishing, vishing, and smishing are often confusing to many people, but they're seriously damaging to businesses and organizations everywhere.

As I covered in a previous video segment, phishing is when employees are tricked into revealing confidential information through a cleverly disguised email. Now, as more employees use their cell phones for work purposes, the act of phishing has become more prevalent on mobile devices.

Vishing is the term given to phishing activities that take place through phone calls or voicemail.

Smishing is the term for phishing attacks that take place through texting. More than half of organizations in the U.S. have encountered these types of mobile phishing attacks. Contributing to the trend is the fact that people are more likely to click a link on their phone as opposed to their computer. Here's an example of smishing. This is an actual fraudulent text message one of our clients received. The suspicious URL is a major red flag. One client clicked on a fraudulent link such as this and was then tricked into sharing their username and password. This resulted in a loss of over $100,000.

Fraudsters often use another tactic in conjunction with vishing and smishing, known as phone number spoofing. In this case, falsified caller ID information makes calls appear to come from a person or organization the recipient is unlikely to ignore. Once the call is answered, the fraudster will try to gain confidential information or encourage the recipient to click on a malicious link.

Trust your instincts when it comes to suspicious text or voice messages. Hang up immediately if the caller: one, requests personal or confidential information for an unfamiliar purpose or event; two, asks yes and no questions; three, asks you to press phone buttons during the call; or four, becomes rude, impatient, or demanding.

To address the threat of text spoofing, never share sensitive information via text. Take a close look at the sender details, as they will often contain errors. Ignore demanding or urgent messages from unknown contacts.

And always think before you click links in text messages. Make sure they're coming from a reputable source.

We hope our fraud prevention videos help you, your employees, and your clients recognize the risks and red flags of cybercrime attacks. For more information on how to protect your business and clients from fraud, visit us online.

Hi, I'm Ken Gavrity, and I run the Payments Business for KeyBank. The number of people using their personal mobile devices on the job is higher than ever, which is why mobile device malware poses a major cybersecurity threat to virtually all businesses, regardless of industry, or size. But did you know your employees could be unknowingly doing things that make your business even more vulnerable to cyber crime?

Here's how. Often, people will bypass their mobile device's protection measures in order to control its operating system. This is called jailbreaking. People jailbreak their own phones to make customizations, or download third-party apps restricted by their default settings. This does make the device more vulnerable to malware and malicious apps. In 2021 alone, nearly 4,000 ransomware incidents were reported, resulting in losses of $49 million. This gives your business good reason to review employee policies and add restrictions that prevent the use of jailbroken mobile devices on company networks.

Another area where employees may unknowingly enable fraud is through their privileged access. This includes special access and abilities beyond that of an average user. It's typically granted to select people within an organization. These credentials when stolen provide an easy entry point for cyber criminals. So here are a few things you can do. Make sure your privileged access employees create uniquely strong passphrases and change them frequently. Ensure that your company networks require multi-factor authentications. Conduct red team, blue team simulations, where members of IT role play as attackers and attempt to exploit security weaknesses. When weaknesses are identified, address them to guard against real attacks. And practice the principle of least privilege, restricting users to the minimum access needed to do their jobs effectively.

We think you'll find these best practices helpful in reducing your risk of cyber attacks and data breaches. For more on how to protect your business and clients from fraud, visit us online.

For more information about KeyBank’s Core Fraud Solutions* and Merchant Fraud Solutions,* contact your Payments Advisor or Relationship Manager.

* Fees may apply.

KeyBank is Member FDIC.
